Javascript is not activated in your browser. This website needs javascript activated to work properly.
You are here

Personal data and written consent

The Swedish Personal Data Act (or PUL) is designed to protect people from having their personal integrity violated by the processing of personal data. You as an employee may need to apply the law in situations where someone’s personal data are to be processed.

General information about the Personal Data Act

There are some main concepts in the Personal Data Act that can be useful for you to know.

Personal data

Personal data means any information that is directly or indirectly attributable to a physical, living person.


The rules in the Personal Data Act regarding processing refers to any measure or series of measures taken in respect to personal data. It is a broad term that covers collecting, recording, storing, adapting, distributing, compiling, and more.

Personal data controller

The personal data controller is the officer who, alone or together with others, determines the purposes and means of the processing of personal data. You as an employee are never responsible for personal data, but rather the public authority or company – in this case, Lund University.

PUL contains rules on how personal data may be processed. To a large extent, the protection of personal integrity in PUL is based on the consent of and information to the registered persons. Under certain circumstances, the law allows that personal data may be processed without the consent of the persons concerned. The rules are stricter when it comes to sensitive personal data and personal identity numbers.

Among other things, PUL also includes provisions on the security of personal data and rectification of inaccurate information.

The vast majority of the provisions of PUL do not need to be applied when processing personal data from unstructured materials, such as running text. In such cases, the processing of personal data is permitted as long as it does not involve a violation of that person’s integrity.

On the following pages you will find more information about processing personal data in specific situations:

Special provisions in the Personal Data Act

Responsibility for and notification of the processing personal data

How Lund University will adapt to the forthcoming Data Protection Ordinance

On 25 May 2018, a new Data Protection Ordinance (DSF) will replace the Swedish Personal Data Act (PUL). The DSF (Dataskyddsförordningen) is the Swedish name for the EU General Data Protection Regulation (GDPR). The aim with GDPR is to strengthen the right to privacy and to adapt legislation on personal data management to the digital society. Another aim is to harmonise EU legislation in the field and thus facilitate the flow of information within the Union.

The new rules clarify and place higher demands on the University regarding personal data management. In order to facilitate adaption to the new legislation, the management at Lund University has initiated a project entitled "Personal data management within Lund University". You can read more about this in the Project plan: Personal data management within Lund University (in Swedish).

You can also find further information on The Swedish Data Protection Authority's website.

Page Manager:


For questions about personal data – contact the personal data representative at Lund University:

Johanna Alhem
Legal Counsel
+46 46 222 09 85
johanna [dot] alhem [at] legal [dot] lu [dot] se

Carl Petersson
Legal Counsel
+46 46 222 76 41
carl [dot] petersson [at] legal [dot] lu [dot] se

Telephone: +46 (0)46-222 00 00 (switchboard)
Mailing adress: Box 117, 221 00 Lund, Sweden
Invoice adress: Box 188, 221 00 Lund, Sweden
Organisation number: 202100-3211

Site manager: staffpages [at] lu [dot] se

About this website